Intel’s Software Guard Extensions (SGX) are under the spotlight again after the chipmaker disclosed several newly discovered vulnerabilities affecting the tech, and recommended users update their firmware.
The security holes are among the latest disclosures listed on Intel’s Security Center page. These cover a wide range of Intel products including Xeon processors, network adapters, and also software.
Overall, there were 31 advisories added to the Intel Security Center as of February 14, as we noted here. There were five CVE-listed SGX-related security holes tackled in that Patch Tuesday patch.
Two of the SGX vulnerabilities involve potential escalation of privilege that could lead to information disclosure, which is awkward for a feature that is supposed to enable secure processing of sensitive data inside encrypted memory areas known as enclaves.
One, CVE-2022-38090, has a severity rating of medium and affects a number of Intel processors, including the 3rd Gen Xeon Scalable server chips, which have only recently been superseded by the 4th Gen “Sapphire Rapids” products.
Intel’s description for this explains: “Improper isolation of shared resources in some Intel Processors when using Intel Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.”
Intel recommends that users of affected products update to the latest firmware version provided by the system vendor.
Another, CVE-2022-33196, has a severity rating of high and also affects the 3rd Gen Xeon Scalable chips, as well as the Xeon D Processors. Intel said it will release BIOS and microcode updates for the affected chips.
The description for this reveals that: “Incorrect default permissions in some memory controller configurations for some Intel Xeon Processors when using Intel Software Guard Extensions may allow a privileged user to potentially enable escalation of privilege via local access.”
Another issue affecting SGX is with the actual software development kit (SDK). This is rated low in severity, but might still potentially enable information disclosure via local access, according to Intel, through improper conditions check in the software. The company said it will release updates to mitigate this.
SGX was first introduced in 2015 with the Skylake generation Intel Core processors. It has been plagued with vulnerabilities, and was deprecated in client-focused chips from the 11th and 12th Gen Core processors.
APIC fail: Intel ‘Sunny Cove’ chips with SGX spill secrets
However, there are other issues in the latest disclosures that are not SGX related, including high-rated escalation of privilege bugs in the Intel Server Platform Services (SPS) firmware (CVE-2022-36348), for which Intel said it will release firmware updates.
Another high rated issue also affects the 3rd Gen Xeon Scalable server chips and some Atom processors. CVE-2022-21216, meanwhile, may allow a privileged user to enable escalation of privilege via adjacent network access due to insufficient granularity of access control in out-of-band management, Intel stated.
Again, the chipmaker has promised to release firmware updates to mitigate against this. ®